"Slammer" worm chokes the internet 


27 January 2003 

By Will Knight 

A highly contagious computer worm infected over a quarter of a million computers over the 
weekend, choking many internet and telecommunications networks as it spread. 

The worm, known as “SQL Slammer”, is thought to have surfaced in Asia on Saturday 
morning. By Sunday, an estimated 250,000 computers had been infected worldwide, according 
to the US anti-virus company McAfee. 

Slammer installs itself on computers running a faulty version of a Microsoft database package 
called SQL Server 2000. Most desktop computers remained untouched, as the package is used 
primarily by system administrators. 

In an effort to locate other hosts to infect, the worm bombards computers chosen at random 
with small packets of information. The volume of messages originating from the worm 
increased exponentially as the worm spread from Saturday. 

Some experts warned that the worm could start spreading more aggressively on Monday, as 
more computers were switched on and connected to the internet. 

Bandwidth choker 

Graham Cluley, chief researcher at UK anti-virus company Sophos, says the initial rapid 
spread of the worm may have been due to machines being unattended over the weekend. 
“Most system administrators weren’t around to patch their systems over, which gave Slammer 
time to breathe,” he told New Scientist. 

the country’s Information and Communication Minister, Lee Sang-Chul, said the worm had 
caused a “total internet breakdown”. 

In the US, the worm disrupted the Bank of America’s computer systems, rendering most of its 
13,000 ATM cash point machines unusable. 

Phil Huggins, managing security architect at the security firm @stake in the UK, says the 
worm was able to rapidly churn out huge amounts of traffic because it used a less common 
communication protocol called UDP. This does not require it to wait for a return “handshake” 
from a targeted machine. 

Escalation exploit 

An alert issued by the US government’s Computer Emergency Response Team (CERT) on 
Sunday warned that the worm could be used to gain control of a machine, although there is no 
evidence of this happening: “It may be possible for an attacker to subsequently leverage a 
local privilege escalation exploit in order to gain Administrator access to the victim system.” 

A software patch to fix the problem with SQL Server 2000 was released by Microsoft in July 
2002. Some security experts have suggested that installing the patch is complex and may have 
contributed to the number of unprotected machines. But Cluley says it’s up to administrators 
to rethink their policy on applying patches: “Don’t wait six months for a worm to arrive.” 

The worm infects any machine running an un-patched version of Microsoft’s SQL Server 2000, 
as well as applications created using add-on software called Microsoft’s SQL Server 2000 
Desktop Engine. 

Microsoft launched an initiative to improve the security of its software in January 2002. 
Slammer is the most widespread worm to hit the internet since Code Red, which struck in July 
2001. 